The Children’s Online Privacy Protection Act grows up

Under the Federal Trade Commission’s (FTC) requirements implementing the Children’s Online Privacy Protection Act (COPPA), websites and services directed at children must obtain verifiable parental consent to the collection of personal information from children.

The rules took effect in 2000, and upon conclusion of a review it launched in April 2005, the FTC decided not to change them.

But what it means to be “online” has changed drastically since the late 1990s when the FTC drafted COPPA definitions. Facebook didn’t yet exist, for example—now it’s hard to find a website that doesn’t offer an easy link to share something on Facebook, Twitter or other social-networking sites. PDAs and flip-phones have given way to a new generation of easy-to-use touchscreen smartphones and the attendant mobile applications.

“[In the late 1990s], you could not engage in the same sort of networking or enjoy the same sort of interactive functionality, and you certainly couldn’t be uploading and sharing as much content and information as you can today,” says Adam Thierer, senior research fellow in the technology policy program at the Mercatus Center at George Mason University.

So in 2010, the commission launched an accelerated review of the rule, put out a call for public comment and in September 2011 published several proposed changes to the rule. The Aug. 6 supplemental notice of proposed rulemaking is the FTC’s response to the more than 350 comments the commission received on last year’s notice of proposed rulemaking. It took comments on the new proposal until Sept. 10.

“The new realities on the ground dictated that we had to rethink how COPPA applied, and here the FTC essentially undertook an effort to tweak the law to keep it in tune with those new realities … by redefining some rather important terms,” Thierer says.

Plugging In

For instance, the FTC now proposes some changes to clarify how COPPA applies to third-party features that may collect information, such as social-media plug-ins and advertising networks.

“For the original rule, nobody ever thought you’d go to a website and start saying whether you like it or not and send that information to Facebook,” says Barry Cutler, of counsel at Baker Hostetler and former director of the FTC’s Bureau of Consumer Protection. “If you’re going to get adequate compliance and protect children, you have to expand the definition to people who are getting the information, not just the people who are operating the website.”

The FTC proposes that if a site or service directed to a child integrates into its content social-networking plug-ins or other features that collect personal information, the site or service itself is considered to collect personal information—and thus is subject to COPPA requirements—because the information is collected “on its behalf,” and it benefits from the related content, functionality and/or advertising revenue. The site or service itself is in the best position to know whether it is child-directed and what sort of third-party services it integrates, the FTC notes.

Further, the FTC proposes that a website or online service considered to be “directed to children” encompasses any operator that “knows or has reason to know” it is collecting personal information through a website or online service directed to children.

The supplemental Notice of Proposed Rulemaking (NPRM) specifies that in using a “reason to know” standard, the FTC is not imposing a duty on third parties such as ad networks or plug-ins to proactively investigate whether their services are incorporated into websites and services directed at children. However, the FTC says, third parties “will not be free to ignore credible information brought to their attention indicating that such is the case.”

In the ecosystem of mobile apps, these new definitions create a huge conundrum and could lead app stores to steer clear of curating children-directed apps, says Morgan Reed, executive director of the Association for Competitive Technology (ACT), an advocacy group that represents more than 3,000 small and mid-size app developers and IT firms.

“This puts application stores or platforms at risk of being liable under COPPA for receiving and managing verifiable parental consent for every single application that they have ‘reason to know’ might be directed at children,” Reed says.

Target Audiences

The FTC has also updated its definition of websites that are “directed at children.”

The supplemental NPRM recognizes that websites and services directed at children “fall along a continuum, targeting or appealing to children in varying degrees” and proposes that COPPA rules encompass websites and services that target children under age 13 or are likely to attract children under age 13 as their primary audience. Such websites will still have to treat all users as children and obtain consent before collecting any personal information.

However, websites and services with a mixed audience that might appeal to an audience of which “a disproportionately large percentage” is under age 13 will not be considered child-directed if they first take the affirmative step of age-screening all users. Such mixed-audience sites would only have to obtain verifiable parental consent for users under age 13 for the collection, use or disclosure of personal information. The proposed standard makes things “a little less burdensome” for mixed-audience sites, Cutler says.

New Information

The NPRM also expands and clarifies how the FTC will define “personal information” for COPPA purposes. Previously, COPPA covered traditional information—name, address, email, telephone number and Social Security number, for instance. The FTC now proposes that personal information include screen names and user names that enable online contact and thus rise to the level of “online contact information.” The NPRM also clarifies the definition of a category of personal information called “persistent identifiers” as information that “can be used to recognize a user over time” and across websites and services, such as cookies, IP addresses, serial numbers or device numbers.

In response to industry concerns, the FTC proposes to allow the collection of persistent identifiers to support websites and services’ “internal operations” without verifiable parental consent, which would apply to uses such as site analytics, user authentication, user preference maintenance, contextual advertising and fraud prevention. Such collection would be permitted as long as the information is not used to contact a specific individual, including through behaviorally targeted advertising.

Reed says a classic example that the FTC took to heart in crafting the revisions was an ACT member who created an app to help autistic children communicate with an iPad. Under the proposal, it’s clear that she can collect information and use analytics tools to improve predictive text functionality, for instance.

“The FTC is recognizing those innovative, imaginative uses for these devices and trying to get that squeezed into that bigger-picture view they’ve had for a while,” Reed says.